Hi, I try to get rid of cleartext passwords stored in a MySQL db, and replace them by NT hashes. I set up a test environment and first tried with an entry in users:
swinter NT-Password := "...", Auth-Type := Accept which worked okay. Storing the same password in MySQL did NOT work, with a quite spurious error, see below: Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 127.0.0.1:52635, id=148, length=59 User-Name = "swinter" User-Password = "test" NAS-IP-Address = 255.255.255.255 NAS-Port = 1234 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "swinter", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 modcall[authorize]: module "files" returns notfound for request 1 radius_xlat: 'swinter' rlm_sql (sql): sql_set_user escaped user --> 'swinter' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'swinter' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'swinter' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'swinter' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'swinter' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns ok for request 1 rlm_pap: Normalizing NT-Password from hex encoding modcall[authorize]: module "pap" returns updated for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type pap auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 1 rlm_pap: login attempt with password test rlm_pap: Using NT encryption. radius_xlat: Running registered xlat function of module mschap for string 'NT-Hash test' rlm_mschap: Unknown expansion string "NT-Hash test" radius_xlat: '' rlm_pap: mschap xlat failed rlm_pap: Passwords don't match modcall[authenticate]: module "pap" returns reject for request 1 modcall: leaving group PAP (returns reject) for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Especially the lines radius_xlat: Running registered xlat function of module mschap for string 'NT-Hash test' rlm_mschap: Unknown expansion string "NT-Hash test" radius_xlat: '' rlm_pap: mschap xlat failed appear suspicious ("test" is the password"). Maybe there's some xlat escaping wrong? The configuration in use is almost as shipped, only added sql config. Greetings, Stefan Winter -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
pgpjxNOMQ4fzd.pgp
Description: PGP signature
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html